I. INTRODUCTION
The Nebraska Legislature adopted LB 821 (2016), the “Workplace Privacy Act,” which will prevent employers from requesting or requiring that an employee or applicant for employment (a) provide or disclose any username or password or any other related account information in order to gain access to the applicant’s personal Internet account by way of an electronic communications device; or (b) log into a personal Internet account by way of an electronic communications device in the presence of the employer in a manner that enables the employer to observe the contents of the employee’s or applicant’s personal Internet account or provides the employer access to the employee’s or applicant’s personal Internet account.
In addition, the law prohibits an employer from requiring an employee or applicant for employment to add anyone, including the employer, to the list of contacts associated with the employee’s or applicant’s personal Internet account or require or otherwise coerce an employee or applicant to change the settings on the employee’s or applicant’s personal Internet account which affects the ability of others to view the content of such account.
The new law became effective on July 21, 2016.
II. EMPLOYER PROTECTIONS
While the new law establishes protections for employees and applicants, in the manner set forth above, it also maintains protections for employers, which allow an employer to:
(1) Promulgate and maintain lawful workplace policies governing the use of the employer's electronic equipment, including policies regarding Internet use and personal Internet account use;
(2) Request or require an employee or applicant to disclose access information to the employer to gain access to or operate:
(a) An electronic communication device supplied by or paid for in whole or in part by the employer; or
(b) An account or service provided by the employer, obtained by virtue of the employee's employment relationship with the employer, or used for the employer's business purposes;
(3) Restrict or prohibit an employee’s access to certain web sites while using an electronic communication device supplied by or paid for in whole or in part by the employer or while using an employer’s network or resources, to the extent permissible under applicable laws;
(4) Monitor, review, access, or block electronic data stored on an electronic communication device supplied by or paid for in whole or in part by the employer or stored on an employer’s network, to the extent permissible under applicable laws;
(5) Access information about an employee or applicant that is in the public domain or is otherwise obtained in compliance with the Workplace Privacy Act;
(6) Conduct an investigation or require an employee to cooperate in an investigation under any of the following circumstances:
(a) If the employer has specific information about potentially wrongful activity taking place on the employee’s personal Internet account, for the purpose of ensuring compliance with applicable laws, regulatory requirements, or prohibitions against work-related employee misconduct; or
(b) If the employer has specific information about an unauthorized download or transfer of the employer's private proprietary information, private financial data, or other confidential information to an employee’s personal Internet account;
(7) Take adverse action against an employee for downloading or transferring an employer’s private proprietary information or private financial data to a personal Internet account without the employer’s authorization;
(8) Comply with requirements to screen employees or applicants before hiring or to monitor or retain employee communications that are established by state or federal law or by a self-regulatory organization as defined in 15 U.S.C. 78c(a)(26), as such section existed on January 1, 2016; or
(9) Comply with a law enforcement investigation conducted by a law enforcement agency.
III. SANCTIONS/REMEDIES
The Workplace Privacy Act establishes, in addition to any other available remedy, a civil cause of action in favor of an aggrieved employee or applicant. Such an action must be brought within one year after the date of the alleged violation or the discovery of the alleged violation, whichever is later. The action may be filed directly in the district court of the county where the alleged violation occurred and the district court is authorized to award appropriate relief, including temporary or permanent injunctive relief, general and special damages, and reasonable attorney’s fees, and costs.
IV. CONCLUSION
While it does not appear that employers have been requesting or requiring employees or applicants to disclose their usernames or passwords for their personal Internet accounts in order to protect proprietary information or prevent exposure to legal liability for their employee’s actions to any great extent, employers should take steps to ensure that they are in compliance with the requirements of the new Workplace Privacy Act. Internet and social media policies and procedures should be reviewed to ensure that managers and others involved in hiring and workplace investigation activities understand what is prohibited by the new law and what actions are allowed.